
Comment by ekimekim

6 years ago

On the subject of the IP leaking: Note that IPv4 only has 2^32 addresses, and people can and do mass scan all of them (see shodan.io). If your service is exposing any identifiable information (i.e. if it's not completely blocking all non-Cloudflare IPs) then it's fairly easy to find even if it's "unguessable".

Cloudflare EM for DDoS Protection here.

If a customer wants to hide their IP then the best way to do it:

1. Onboard onto Cloudflare

2. Audit your app and ensure you aren't leaking your IP (are you sending email directly? making web calls directly? - make adjustments to use APIs of other providers, i.e. send emails via Sendgrid API, etc)

3. Change your IP (it was previously public knowledge in your DNS records)

At this point your IP should be unknown, so...

4. Use `cloudflared` and https://www.cloudflare.com/en-gb/products/argo-tunnel/ to have your server call us, rather than us call you (via DNS A / AAAA records)

Because this connects a tunnel from your server, you can configure iptables and your firewall to close everything :)

Here's the help info: https://developers.cloudflare.com/argo-tunnel/quickstart/

PS: to the OP, I tried to contact you via Keybase, feel free to ping my email. We are working to improve the DDoS protection for attacks in the range you were impacted by, and the product manager would enjoy your feedback if you're willing to share it in the new year.

  • Is cloudflare affordable for an open source and low-funds project? (I honestly don't know the pricing, this isn't meant to be argumentative)

    • We have a free tier, and the caching and firewall are good enough on that tier - I use it :)

      The DDoS protection is the same across all tiers - it's built in and you aren't charged for that. You even see other features (like the Rate Limit feature cited in the article) explicitly structure their pricing so that you are not charged for attack traffic even if you are on a paid plan or feature.

      For small denial of service attacks the Security Level switch is very good at stopping the vast majority of attack traffic, and then the IP blocking and User Agent blocking are good too - this is available on the free plan, as are a handful of Firewall Rules that can allow complex expressions to match and drop traffic.

      So you can get a very long way on the free plan.

      Paid features I'd recommend if you want to stay on the free plan month-to-month yet go paranoid for a small cost:

      1. Rate Limit, configure it on your dynamic endpoints to minimise the costs to you but have it highly effective against attacks. Predicted cost is relative to how many requests for dynamic endpoints you have... you can be smart here and combine with Firewall Rules to drop traffic that does not have auth credentials.

      2. Argo Tunnel, to hide your IP.

      There are other plan level benefits, and the most notable is the quantity of Firewall Rules per plan level and the complexity they allow: https://www.cloudflare.com/en-gb/plans/


  • hey, OP here

    I'm no longer on keybase, deleted it a few days ago - but I'm more than happy to share what I found if you want

    pretty sure it's nothing groundbreaking though

    other contact methods are listed on my profile

    (edit: by OP I mean article author)

Well, that would only work if the other end responds to a request to the IP address with a cert that includes the proper domain.

If you set up Cloudflare properly, then you only see a CF-based certificate, not the actual hostnames. Since you didn't send a proper hostname (unless you use PTR, which isn't reliable either) it'll use whatever default hostname it has configured (or just close the connection).

Or in a case like my setup, you'll get an empty 0-byte response if no Host: header is present. The certificate is a wildcard for the primary domain the server runs, not even related to the mastodon service.

And of course, this post contains enough information to probably nail it down but on the other hand, mass scanning the internet is a lot of trouble.

  • This is huge. There are a ton of misconfigured Apache and nginx reverse proxies out there that expose the primary domain name of the site being served. You can quickly test this for yourself by running "curl -vk https://your.ip.address" and seeing what pops up for the CN field or Location header.

    Even worse is the pattern of requesting LetsEncrypt certificates for multiple domains on one certificate. Now all of a sudden you're leaking development server hostnames, peeling off the white label of multi-tenant, and making things easier for automated scanners.

    I get it that security by hostname obscurity is a poor practice on its own, but there's also something to be said for cutting down a large amount of malicious traffic with some common best practices.

    • Hence I use Wildcard LE certs, it helps a lot as well as using bogus or non-CA'd certificates if no host name is supplied (or just sending 0 byte pages with no useful data)

yep, I had the same thought

which is what led me to block all other IPs - it's not the hardest thing to just make an openssl req and get the common names of the certificate returned

especially if you know the hosting provider, which narrows down the ip space significantly
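The check described in the two comments above (the "curl -vk https://your.ip.address" CN test and the "openssl req" common-name check) as an added, self-contained Python example for auditing your own origin, not code from anyone in this thread. It connects to an IP with no SNI, the way a scanner would, and reports which of your protected hostnames the returned certificate would give away; the `SAMPLE_*` certificate dicts and all `example.org` / `example.net` hostnames are constructed placeholders, and the function names are my own.

```python
import socket
import ssl

# Constructed sample of the dict shape that ssl.SSLSocket.getpeercert() returns,
# standing in for a leaf certificate a misconfigured origin hands out when asked
# by bare IP. The hostnames are placeholders, not real sites.
SAMPLE_LEAKY_CERT = {
    "subject": ((("commonName", "mastodon.example.org"),),),
    "subjectAltName": (
        ("DNS", "mastodon.example.org"),
        ("DNS", "dev.example.org"),  # a dev hostname bundled onto the same cert
    ),
}

# Constructed sample of a wildcard certificate for an unrelated primary domain,
# the setup one commenter above uses so the mastodon hostname never appears.
SAMPLE_WILDCARD_CERT = {
    "subject": ((("commonName", "*.example.net"),),),
    "subjectAltName": (("DNS", "*.example.net"),),
}


def names_from_cert(cert):
    """Collect the commonName and every DNS subjectAltName from a getpeercert() dict."""
    names = set()
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.add(value.lower())
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            names.add(value.lower())
    return names


def name_matches(cert_name, hostname):
    """RFC 6125-style match: a leading '*.' covers exactly one DNS label."""
    if cert_name.startswith("*."):
        suffix = cert_name[1:]  # e.g. ".example.net"
        return hostname.endswith(suffix) and hostname.count(".") == cert_name.count(".")
    return cert_name == hostname


def leaked_names(cert, protected_hostnames):
    """Return the protected hostnames this certificate reveals to a bare-IP connection."""
    names = names_from_cert(cert)
    return sorted(
        host for host in protected_hostnames
        if any(name_matches(name, host.lower()) for name in names)
    )


def probe_without_sni(ip, port=443, timeout=5.0):
    """Connect to your own origin by IP with no SNI and no Host header, as a
    mass scanner would, and return the certificate it presents as a
    getpeercert() dict.  Returns {"untrusted": True} when the origin answers
    with a certificate the system trust store rejects (the self-signed 'bogus'
    default cert discussed above, which exposes no names here), and None when
    it refuses the handshake entirely."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # we intentionally send no hostname to match against
    try:
        with socket.create_connection((ip, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=None) as tls:
                return tls.getpeercert()
    except ssl.SSLCertVerificationError:
        return {"untrusted": True}
    except (OSError, ssl.SSLError):
        return None


if __name__ == "__main__":
    # Offline demonstration on the constructed samples; to audit a real origin,
    # call leaked_names(probe_without_sni("<your origin IP>") or {}, protected).
    protected = ["mastodon.example.org", "dev.example.org", "api.example.net"]
    print("leaky cert reveals:", leaked_names(SAMPLE_LEAKY_CERT, protected))
    print("wildcard cert reveals:", leaked_names(SAMPLE_WILDCARD_CERT, protected))
```

An empty result from `leaked_names` on the real probe means the default certificate your server presents without SNI names none of the hosts you care about; the wildcard sample shows why a wildcard for an unrelated domain only gives away that domain's apex, not the service behind Cloudflare.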